I just noticed that if the parent profile is in complain mode and the child profile is in enforce mode, aa_change_profile() does not fail with permission denied, but the enforcing profile's rules are not honored either (the open of /tmp/foo below succeeds despite the deny rule).
Eg: #include <stdio.h> #include <stdlib.h> #include <errno.h> #include <unistd.h> #include <fcntl.h> #include <string.h> #include <sys/types.h> #include <sys/stat.h> #include <time.h> #include <limits.h> #include <stdarg.h> #include <sys/apparmor.h>
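/*
 * Minimal AppArmor change_profile test: switch to profile "foo", then try to
 * create /tmp/foo.  The exit status encodes the result so a caller can tell
 * whether the target profile's rules were applied after the switch:
 *   0 - open() failed after the switch ("confined")
 *   1 - open() succeeded ("unconfined"), or the profile switch itself failed
 * /tmp/foo is deliberately left in place so it can be inspected afterwards.
 */
int main(int argc, char *argv[])
{
    const char *profile_name = "foo";   /* string literal, never written to */
    int fd;

    (void)argc;
    (void)argv;

    if (aa_change_profile(profile_name) != 0) {
        perror("could not change profile");
        exit(1);
    }

    /*
     * O_TRUNC requires a write access mode; O_CREAT|O_TRUNC alone only
     * "worked" because O_RDONLY happens to be 0.  Asking for write access
     * explicitly is also what a "deny /tmp/foo rw" rule is meant to reject.
     */
    fd = open("/tmp/foo", O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd == -1) {
        /* Any open() failure is reported as confined; errno is not inspected. */
        printf("confined\n");
        exit(0);
    }
    printf("unconfined\n");
    close(fd);
    exit(1);
}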
$ cd /tmp $ gcc -lapparmor ./foo.c
$ cat /etc/apparmor.d/tmp.a.out #include <tunables/global>
/tmp/a.out flags=(complain) { #include <abstractions/base> /** rwmkl,
change_profile -> foo, }
profile foo { /** rwmkl, audit deny /tmp/foo rw, }
$ ./a.out unconfined [1] $ ls -l /tmp/foo -rw-r--r-- 1 jamie jamie 0 2009-08-05 16:56 /tmp/foo
Using the following profile: $ cat /etc/apparmor.d/tmp.a.out #include <tunables/global>
/tmp/a.out { #include <abstractions/base> /** rwmkl,
$ /tmp/a.out could not change profile: Permission denied [1]
I just noticed that if the parent profile is in complain mode and the child profile is in enforce mode, aa_change_profile() does not fail with permission denied, but the enforcing profile's rules are not honored either (the open of /tmp/foo below succeeds despite the deny rule).
Eg:
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <time.h>
#include <limits.h>
#include <stdarg.h>
#include <sys/apparmor.h>
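/*
 * Minimal AppArmor change_profile test: switch to profile "foo", then try to
 * create /tmp/foo.  The exit status encodes the result so a caller can tell
 * whether the target profile's rules were applied after the switch:
 *   0 - open() failed after the switch ("confined")
 *   1 - open() succeeded ("unconfined"), or the profile switch itself failed
 * /tmp/foo is deliberately left in place so it can be inspected afterwards.
 */
int main(int argc, char *argv[])
{
    const char *profile_name = "foo";   /* string literal, never written to */
    int fd;

    (void)argc;
    (void)argv;

    if (aa_change_profile(profile_name) != 0) {
        perror("could not change profile");
        exit(1);
    }

    /*
     * O_TRUNC requires a write access mode; O_CREAT|O_TRUNC alone only
     * "worked" because O_RDONLY happens to be 0.  Asking for write access
     * explicitly is also what a "deny /tmp/foo rw" rule is meant to reject.
     */
    fd = open("/tmp/foo", O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd == -1) {
        /* Any open() failure is reported as confined; errno is not inspected. */
        printf("confined\n");
        exit(0);
    }
    printf("unconfined\n");
    close(fd);
    exit(1);
}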
$ cd /tmp
$ gcc -lapparmor ./foo.c
$ cat /etc/apparmor.d/tmp.a.out
#include <tunables/global>
/tmp/a.out flags=(complain) {
#include <abstractions/base>
/** rwmkl,
change_profile -> foo,
}
profile foo {
/** rwmkl,
audit deny /tmp/foo rw,
}
$ ./a.out
unconfined
[1]
$ ls -l /tmp/foo
-rw-r--r-- 1 jamie jamie 0 2009-08-05 16:56 /tmp/foo
Using the following profile:
$ cat /etc/apparmor.d/tmp.a.out
#include <tunables/global>
/tmp/a.out {
#include <abstractions/base>
/** rwmkl,
change_profile -> foo,
}
profile foo {
/** rwmkl,
audit deny /tmp/foo rw,
}
$ /tmp/a.out
could not change profile: Permission denied
[1]